Beta cookies.ie is in public beta — found a bug or have feedback? Tell us →
cookies.ie

← All fixes

Your site has no cookie banner

ePrivacy requires informed consent before any non-essential cookie. No banner means no consent, which means every analytics or marketing cookie on the site is unlawful from the first page view.

TL;DR
  • Add a consent banner that shows on the first page load.
  • Don't load analytics, marketing, or chat-widget scripts until the visitor clicks Accept.
  • The banner must offer a "Reject all" option with the same prominence as "Accept".

What the law says

In Ireland, cookie consent is governed by the ePrivacy Regulations (S.I. 336/2011), which implement EU Directive 2002/58/EC. Regulation 5(3) requires that a service provider give the user "clear and comprehensive information" about cookies and obtain the user's consent before storing or accessing information on their device.

The Data Protection Commission's guidance note on cookies (April 2020) makes three things explicit: implied consent is not valid, pre-ticked boxes are not valid, and continuing to browse is not valid. Consent must be a clear, affirmative action.

The exception is "strictly necessary" cookies — session IDs, CSRF tokens, load-balancer cookies, and cookies that remember what's in a shopping cart. Those can be set without consent. Analytics and marketing cookies cannot, even if they're "first-party" or "anonymised".

Why it matters

The DPC has run active cookie sweeps since 2020 and has issued public infringement decisions against Irish public-sector sites, media publishers, and private companies. Enforcement typically starts with a complaint or a sweep finding, and escalates to a binding decision with a deadline to fix. Beyond regulatory risk, a missing banner also exposes you to GDPR Article 6 liability for any personal data processed through those trackers without a lawful basis.

How to fix it

You need three things working together:

  1. A banner shown to every visitor on their first page load.
  2. A gate — your non-essential scripts must not load until the visitor accepts.
  3. A preference centre so visitors can change their mind later.

Option 1: use a CMP

A Consent Management Platform handles the UI, consent storage, and script gating for you. Options commonly used by Irish sites include Cookiebot, OneTrust, Didomi, Usercentrics, Osano, and Iubenda. The cookies.ie CMP (Phase 2) is built specifically for Irish ePrivacy defaults — equal-prominence Reject, no dark patterns, EU-hosted consent logs.

Whichever CMP you pick, check: (1) Reject is a one-click button on the first layer, not hidden behind "Manage preferences"; (2) the CMP actually blocks scripts rather than firing them and hoping for forgiveness; (3) consent logs are retained so you can demonstrate compliance to the DPC if asked.

Option 2: roll your own (for simple sites)

If your site only uses one or two trackers, a self-hosted banner is reasonable. The minimum shape: 

<div id="consent-banner" hidden>
  <p>We use cookies to analyse traffic. You can accept or reject non-essential
     cookies. <a href="/cookie-policy">Read our cookie policy.</a></p>
  <button id="accept-all">Accept all</button>
  <button id="reject-all">Reject all</button>
</div>

<script>
  const stored = localStorage.getItem('consent');
  if (!stored) document.getElementById('consent-banner').hidden = false;

  document.getElementById('accept-all').onclick = () => {
    localStorage.setItem('consent', 'accepted');
    document.getElementById('consent-banner').hidden = true;
    loadAnalytics();
  };
  document.getElementById('reject-all').onclick = () => {
    localStorage.setItem('consent', 'rejected');
    document.getElementById('consent-banner').hidden = true;
  };

  if (stored === 'accepted') loadAnalytics();

  function loadAnalytics() {
    // Only now load the analytics script tag — do not ship it in HTML.
    const s = document.createElement('script');
    s.src = 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX';
    document.head.appendChild(s);
  }
</script>

This is the bare minimum and not production-grade. It doesn't log consent server-side, doesn't offer a preference centre, and doesn't handle consent expiry. For anything beyond a brochure site, use a CMP.

Option 3: remove the trackers

If you only need basic traffic metrics, privacy-first analytics tools like Plausible or Fathom don't set cookies and generally don't require consent. No banner is needed if you're not doing anything that would require one.

How to verify the fix

Re-run your site through the cookie banner checker. A passing report will show: banner present, Reject offered, no non-essential cookies on first load, and no trackers firing before consent.

Related fixes

cookies.ie is not a law firm. This page reflects current DPC guidance and common compliance patterns, but your specific situation may need legal advice.